Revisiting Turning Online Cipher Off

Revisiting Turning Online Cipher Off

Ritam Bhaumik and Mridul Nandi Indian Statistical Institute, Kolkata

[email protected] [email protected]

August 15, 2015

Abstract

In [1], a class of constructions was defined based on layers of secure online ciphers interleaved with simple mixing layers (like reversing and block-shifting). Here we show that an SPRP construction proposed in the work cited is insecure. Howevewr, the same construction is secure under the assumption that the underlying construction is online-but-last ciphers. We include a simpler proof for beyond-birthday security of other constructions proposed in the same work.

1

Introduction

Online ciphers can process plaintexts on the fly, outputting a ciphertext block as soon as the corresponding plaintext block is processed. This makes them a very useful option in many situations where the efficiency of real-time encryption is necessary. ECB and CBC (specified as a mode of operation in [7]) are early examples of online ciphers, and more sophisticated examples can be found in [2] and [6]. However, there are other situations which demand SPRP [3] security. To avoid designing an SPRP from scratch as a new primitive, [1] suggests using two or more passes of a secure online cipher, interleaved with simple publicly known blockwise-linear mixing layers. Here we examine some of the results in [1]. Of other ways of using multiple passes of an online cipher for SPRP security, [4] serves as an example.

LetE be a secure online cipher, E0 _{be a secure online-but-last cipher, and rev}

be a blockwise-reversing layer. Our main results are summarised below:

• We show thatE0_{◦rev◦ E}0 _{is SPRP secure upto the birthday bound.}

• We state a simple method of obtaining a online-but-last security from online security.

• [1] shows thatE ◦rev◦ E ◦rev◦ Eachieves beyond-birthday security against an SPRP adversary. We provide a simpler proof of this result, and obtain cleaner bounds.

• Finally, [1] shows thatE ◦rev◦ E ◦rev◦ E achieves an even better SPRP security when all plaintexts are at least 2m blocks long. Once again we provide a simpler proof of this result (through a minor modification of the former proof), and obtain cleaner bounds.

2

Preliminaries, Notation and Definitions

For a setA, #Awill denote its size. We’ll writeN to denote 2n_{, the number of}

different blocks possible,nbeing the number of bits in one block. For integers

iand j, with 0 ≤i≤j, Pi

j will denote i!

(i−j)!, the number of permutations of

iobjects taken j at a time. (Note that the word permutation will later on be used in a different sense, to be defined.)

Prefixes LetB={0,1}n _{denote the block-space. ThenB}∗_=∪∞

0 Bi denotes all finite block-strings, calledwords. For a wordx,||x||will denote the number of blocks inx. Given wordsxandy, z=xydenotes theconcatenationofx

andy. For a wordzand a blockb, zb will denote the concatenation ofzwith the word containingb as its only block. xis called a prefixofz, ifz=xyfor some y. Given a set T of words,P(T) will denote the set of all prefixes of all words inT. Whenwhas at leastjblocks,w1..jdenotes thej-block prefix ofw.

More generally,wj1..j2 will denote the (j2−j1+ 1)-block contiguous subword

ofw beginning in the j1-th block and ending in thej2-th block. Finally, for a wordw,wR will denote its block-wise reverse.

Online Permutations A permutation E on B∗ _{is a length-preserving}

bi-jection fromB∗ _{to itself. E is called anonline permutation ifE(x) is a prefix}

ofE(y) if and only if x is a prefix of y. E is called an online-but-last per-mutationif for any j, and for any wordsx and y each having j+ 1 or more blocks, E(x)1..j = E(x)1..j if and only if x1..j = x1..j, i.e., it behaves as an

Security Notions For any set S, an object X ∈ S is said to be pseudo-random if X cannot be efficiently distinguished from an object Y sampled uniformly from S. That is, an efficient adversary A who is allowed to make finitely many queries to the oracle cannot determine with a significantly high advantage whether the oracle representsX or Y. (Y is called an ideal random object ofS.) Thus we can have pseudorandom permutations, pseudorandom on-line permutations and pseudorandom onon-line-but-last permutations. (We’ll often saysecureto mean pseudorandom.) Astrong pseudorandom permutation

(or SPRP) is one which is secure against an adversary who is allowed to make queries both to the oracle and its inverse. The SPRP game is described below, while developing the notation we’ll follow.

Basic Notation In an SPRP game, the adversary makesqqueries, no two of them identical. For 1≤i≤q,δiwill denote the direction of thei-th query, with

δi=efor encryption queries andδi =dfor decryption queries; andli denotes the number of blocks in thei-th query. Irrespective ofδi_,pi_{= (P}i

1, ..., Plii) will denote thei-th plaintext, andci_{= (C}i

1, ..., Clii) will denote thei-th ciphertext.P will denote (p1_{, ...,p}q_{) andC will denote (c}1_{, ...,c}q_{). E ={i|δ}i _=e}denotes

the set of encryption query indices, and D = {i |δi _{= d} denotes the set of}

decryption query indices. qE = #E denotes the number of encryption queries,

andqD= #Ddenotes the number of decryption queries. (Thus, q=qE+qD.)

σE =P_i∈Eli denotes the number of encryption query blocks, σD =P_i∈Dli

denotes the number of decryption query blocks, andσ=σE+σD=P_16i6qli

denotes the total number of query blocks (or, equivalently, the total number of output blocks). Lwill denote maxli_{, and for 1≤l≤L,q}

l={i|li=l}denotes

the set indices corresponding tol-block queries.

Interpolation Probability For an oracleO, given a finite setQof queries and a setRof responses, the interpolation probability IPrO[(Q,R)] is

de-fined as Pr[O(Q) = R], i.e., the probability that O takes Q to R. In our setup, we’ll simply write this as IPr[P →C]. (Note thatQ may here consist of elements from both P and C. The notation is just for convenience.) The interpolation probability for an ideal random permutation is given by

IPr∗[P→C] = Y 16l6L

1

PNl

ql

.

The standard inequalityPi j ≥(1−

j2 i)·i

j _{will often be used to obtain bounds}

on the interpolation probabilities.

choice of queries). Suppose that for a good view, the interpolation probability for a permutationE is not less than (1−1) times the interpolation probability for an ideal random permutation. Suppose further that for an ideal random permutation, a view is good with probability not less than (1−2). Then E cannot be distinguished from random with an advantage greater than1+2. This result is due to Jacques Patarin [5], and will be a key result in our security proofs.

The Construction The class of constructions we discuss here uses k layers of a secure Online or Online-But-Last CipherE alternated withk−1 layers of a simple linear mixing function, likerev, to get an SPRP, with birthday security (fork= 2,E secure Online-but-Last) and beyond-birthday secuirty (fork= 3,

E secure Online). We’ll deal with these two cases separately.

3

Two Layers of Secure Online Permutation

3.1

The Original Construction

LetE be a secure online permutation. The construction Π2

rev(E) originally

sug-gested consists of two layers ofEwith a layer ofrevin between. Thus, encryption isE ◦rev◦ E, and decryption isE−1_{◦rev◦ E}−1_.

3.2

Attack

It is easy to mount a 4-query SPRP attack on this construction, as shown in Figure 3.2. We begin with a three-block encryption query withp1p2p3 and get

c3c2c1 in response. Let E(p1p2p3) be calledx1x2x3. Thenc3c2c1=E(x3x2x1). We next make a two-block decryption query withc3c2, and getp02p03in response. Since E is online, E−1_(c

3c2) = x3x2, so p02p03 = E−1(x2x3). From this we see that

x2=E(p02).

Our third query is a two-block encryption query withp1p2, yieldingc02c01. Again,

E(p1p2) =x1x2, so E(x2x1) =c02c01. From this we see that

E(x2) =c02.

Finally, we make a one-block encryption query withp0₂. Since,x2 =E(p02) and

p1 p2 p3

x1 x2 x3

x3 x2 x1

c3 c2 c1

Query 1

p0₂ p0₃

x2 x3

x3 x2

c3 c2

Query 2

p1 p2

x1 x2

x2 x1

c0₂ c0₁

Query 3

p0₂

x2

x2

c0₂

Query 4

Figure 1: A 4-Query Attack

4

Two Layers of Secure Online-But-Last

Permu-tation for Birthday Security

4.1

Setup

In the new construction Π2

rev(E), keeping everything else the same, we letE be

a secure online-but-last permutation. We’ll show that this change is enough to grant it birthday security. For simplicity, we assume different keys are being used in the two layers of E, and call them E1 and E2. Thus, encryption is

E2◦rev◦ E1, and decryption is E1−1◦rev◦ E

−1

2 . For 1≤ i≤q, E1(pi) will be denotedxi_{. Xwill denote (x}1_{, ...,x}q_{). For notational convenience, we’ll add an}

extra layer ofrevat the bottom. Thus,ci_=E

2(xiR)R.

4.2

Freshness and Prefixes

Here we define two important notions, that we’ll need again in the next section, under slightly modified definitions.

Equivalence Query indices iandi0 are calledj-encryption equivalentfor somej <min(li_{, l}i0_{) if eitheri=i}0_{, or}

pi_1..j =pi0_1..j.

This is denoted asi∼ej i

0_{. Similarly,iandi}0 _{are calledj-decryption}

equiv-alentfor some j <min(li, li0) if eitheri=i0, or

ci(li−j+1)..li=c

i0

(l_i0−j+1)..l_i0.

This is denoted asi∼dj i

0_{. Clearly, wheneveri∼} ej i

0_{, we haveX}i j =Xi

0 j , and

wheneveri∼dj i

0_{, we haveX}i

li_−j+1=Xi

0

Freshness and Ancestors A query index i, 1 ≤ i ≤ q, is called j-fresh,

j ≥1 if j =li andi ∈E, or j = 1 and i∈D, or 1< j < li and @i0 ≤i with

j < li0 such thati∼ej i

0 _{or i∼} dj i

0_{. Wheniis j-fresh, X}i

j is called a fresh X

block. Theencryption j-ancestorof a query indexiis defined as

Ae_j(i) = min

i∼_eji0i 0_.

Similarly, thedecryption j-ancestorof a query indexi is defined as

Adj(i) = min i∼_dji0i

0_.

Prefix Matching LetPP=P({pi| i∈E}), andPC=P({ci|i∈D}). For w∈ PP, let mP(w) denote #{x|wx∈ PP}, andm−P(w) denote #{x|wx∈

PP−}, where

PP− ={w∈ PP |w does not intersect with last block ofpifor any i∈E}.

Also,mC(w) will denote #{x|wx∈ PC}, andm−C(w) will denote #{x|wx∈

PC−}, where

PC− ={w∈ P_C|w does not intersect with first block ofci for anyi∈D}.

4.3

Towards a Proof of Security

Claim We claim that the distinguishing advantage of an SPRP adversary over Π2

rev(E) cannot exceed

3q2 N .

We now develop some apparatus required for proving this claim.

Good Views A view{(δi₎

1≤i≤q,P,C} is calledgoodif:

• (∀i∈E)(@i0< i)(Clii =C

i0 li0),

• (∀i∈D)(@i0 < i)(P1i=Pi

0

1 ).

We shall show that the Interpolation Probability for a Good View under Π2

rev(E)

P1 P2 P3 P4 P5

E1

X1 X2 X3 X4 X5

rev

X5 X4 X3 X2 X1

E2

C5 C4 C3 C2 C1

rev

C1 C2 C3 C4 C5

Figure 2: SPRP construction with birthday security using two layers of an online-but-last cipherE around one layer of rev

Variables All X_ji’s will be called variables. They together represent the internal state of the entire computation.

Basis All fresh X blocks together form what we call the basis. Assigning values to the basis variables assigns values to all variables.

Extension Chains Pick i∈E, j∈ {1, ..., li_{}. ThenX}i

j is a variable. Letb1 bej, anda1beAej(i). Having obtainedb1, ..., bkanda1, ..., ak, we stop ifkis odd

andak ∈E, or ifkis even andak ∈D. Otherwise, letbk+1=lak−1−bk, and

ak+1 be Aδ ak

bk+1(ak). Sinceak+1 > ak, this terminates after finitely many steps,

say upon obtaining ak0. Then we call ((b1, a1), ...,(bk0, ak0)) the extension chainofX_ji.

Admissibility An assignment of values to the basis variables is called ad-missibleif:

• (_@i, i0∈E)(Xi li =Xi

0

li0)

• (@i, i0∈D)(X1i =Xi

0

• piandxi are online-but-last compatible for eachi

• ciR _andxiR_{are online-but-last compatible for eachi}

Extending an admissible assignement Suppose we’ve assigned values to all basis variables, such that the assignment does not violate any of the admis-siblity criteria. We’ll extend it to get an admissible assignment for all variables.

X1

j is a basis for 1≤j≤l1. For somei0>1, having assigned values to all Xji

for 1≤i < i0,1≤j≤li, we put, for 1≤j ≤li0, Xji0 =X Ae

j(i0)

j ifi0∈E, and

Xi0

li0−j+1=X

Ad j(i0)

lAdj(i0 )_−j+1 ifi0∈D.

Every admissible choice of basis blocks leads to a unique assignment of values to the variables that is compatible with the given (good) view. That the assignment is unique is trivial, because the basis elements are themselves variables. To see that the assignment is compatible with the given view, we just note that every variable takes the value of a unique basis variable, that can be located by tracing back along the extension chain till we stop. Instead of talking of an admissible assignment for basis variables, we’ll simply talk instead of an admissibleX.

4.4

The Proof

Interpolation Probability We shall show in the next section that

IPr[P→C]≥ (1−1)

Nσ ,

where1=q

2

N.

Ideal Random Permutation The interpolation probability for an ideal ran-dom permutation is given by

IPr∗[P→C] = Y 16l6L

1

PNl

ql

≤ Y

16l6L

1

(1− ql2

Nl)·Nlql

≤ 1

Nσ ·

1

1− P

16l6L q2

l

Nl

≤ 1

Nσ ·

1 1−1

sinceq=P

16l6Lql.

Thus,

IPr[P→C]≥(1−21)·IPr∗[P→C].

Applying Patarin’s Technique Let 2 denote the probability of a view being bad under an ideal random permutation. Then

2≤

X

16i6q

i N ≤1.

Thus, by Patarin’s Technique, we can conclude that the distinguishing advan-tage cannot exceed 3_Nq2, as claimed.

4.5

Calculating the Interpolation Probability

Counting Admissible Assignments Let A = {X|Xis admissible}. We want to count #A. The blocks{Xi

li}i∈E, {X1i}i∈D can be chosen inPqNE·P

N qD ways. The remaining blocks can be chosen in (Q

w∈PPP

N m−_P(w))·(

Q w∈PCP

N m−_C(w)) ways. Thus,

#A=P_qN

E·P

N qD·(

Y

w∈PP

PN

m−_P(w))·(

Y

w∈PC

PN

m−_C(w)).

A Bound on the Total Number of Possible Assignments Recalling that

E1and E2are online-but-last, the total number of choices for Xcannot exceed (Q

w∈PPP

N

m−_P(w))·N

σE_·(Q

w∈PCP

N

m−_C(w))·N

σD_·Nq_.

Interpolation Probability

IPr[P→C]≥ X

X∈A

Pr[E1(P) =X]·Pr[E2(rev(X)) =rev(C)]

≥ #A

(Q w∈PPP

N

m−_P(w))·N

σE·₍Q

w∈PCP

N

m−_C(w))·N

σD ·_Nq

=P

N qE·P

N qE

Nq ·

1

Nσ

≥(1−

q2_E N)·N

qE_·(1−q

2

E

N )·N qE

Nq ·

1

Nσ

≥(1−1)

x1 x2 x3 x4

K

E

K

y1 y2 y3 y4

E0

Figure 3: Getting online-but-last from online

as claimed in the previous section, which completes the proof.

4.6

Obtaining an Online-but-Last Cipher from an Online

Cipher

We now state an easy way of getting an Online-but-last Cipher from an Online Cipher. SupposeEis a secure Online cipher, and let +K represent the function

that adds K to the last block of the input. Then E0_{(K, .) = +}

K◦ E ◦+K is

a secure Online-but-last Cipher, with an extra key K. This is illustrated in Figure 4.6.

This construction is Online-but-last secure because, for any plaintext with l

blocks, the firstl−1 blocks are simply encrypted through E, and thus behave like they come from an ideal random Online permutation, as required, and since

Kis chosen randomly, the last block of the output is uniform. Thus, the output behaves like it comes from an ideal random Online-but-last permutation.

5

Three Layers of Secure Online Permutation

for Beyond-Birthday Security

5.1

Setup

LetE now be a secure online permutation. The construction Π3rev(E) consists

E1, E2 and E3. Thus, encryption is E3◦rev◦ E2◦rev◦ E1, and decryption is

E₁−1◦rev◦ E₂−1◦rev◦ E₃−1. For 1≤i≤q,E1(pi) will be denotedxi, andE3−1(c

i₎

will be denoted yi. (Thus,E2(xiR) =yiR.) Xwill denote (x1, ...,xq), and Y will denote (y1, ...,yq).

5.2

Freshness and Prefixes Revisited

We come back to these two notions we defined earlier, and now give them slightly modified definitions, as suited to this problem.

Equivalence The definition of j-encryption equivalenceremains the same as before. However,i and i0 will now be calledj-decryption equivalentfor somej <min(li_{, l}i0_{) if eitheri=i}0_{, or}

ci1..j =ci 0

1..j.

Wheneveri∼ej i

0_{, we still haveX}i j=Xi

0

j, and wheneveri∼dj i

0_{, we now have}

Y_ji =Y_ji0. j-freshness and j-ancestors are now defined as before, using our new definitions of equivalence instead of the old ones.

Prefix Matching We now let PP denote simply, P({pi|1 ≤i ≤q}), and

PC denote P({ci| 1 ≤i ≤q}). Further, while w ∈ PP, mP(w) continues to

denote #{x|wx∈ PP},m−P(w) now stands for #{x|wx∈ PP−}, where

PP−={w∈ P_P |w does not intersect with the last two block of anypi}.

Similarly, mC(w) still denotes #{x| wx ∈ PC}, but m−_C(w) now stands for

#{x|wx∈ PC−}, where

PC−={w∈ PC|w does not intersect with the last two blocks of anyci}.

5.3

Congruences and Partitions

A congruence∼on the set{1, ..., q}with exactlykcongruence classes, 1≤k≤q, is called a k-partition. (When we writek in the calculations, the ∼it refers to will be clear from the context.) Let n1[∼], ..., nk[∼] denote the sizes of the

partitions in decreasing order. Let Πk denote the set of allk-partitions, with

Π =∪kΠk. LetS[∼] denote the set of q-block sequences compatible with the

P1 P2 P3 P4 P5

E

X1 X2 X3 X4 X5

rev

X5 X4 X3 X2 X1

E

Y5 Y4 Y3 Y2 Y1

rev

Y1 Y2 Y3 Y4 Y5

E

C1 C2 C3 C4 C5

Figure 4: SPRP construction with beyond-birthday security using three layers of an online cipherE around two layers of rev

5.4

Towards a Proof of Security

Claim We claim that the distinguishing advantage of an SPRP adversary over Π3rev(E) cannot exceed

2q2

N2.

We shall, as before, develop some apparatus for the proof. The notions intro-duced will be mostly ones that were also used, under slightly different definitions, in the previous proof. (Note that, for this proof, we do not need to classify any view as bad, thus eliminating the second term in Patarin’s result.)

Variables {Xi

j, Yji,1≤i≤q,1≤j≤li} will be the variables here.

Basis We now construct the basisB. Fori∈E:

• X_ji∈B ifiisj-fresh

• Yi

1 ∈B if (∀i0 < i)(C1i 6=Ci

0

1)

• Yi

Fori∈D:

• Y_ji∈B ifiisj-fresh

• Xi

1∈B if (∀i0 < i)(P1i6=Pi

0

1 )

• Xi

j ∈B,2≤j≤li

Extension Fori∈E, ifY1i6∈B, find first occurrenceC1i, i.e., smallesti0with

C1i = Ci

0

1. Then Y1i = Yi

0

1 , and Yi

0

1 ∈ B. If Xji 6∈ B, findi0 =A j

e(i). Then

Xi j=Xi

0

j, andXi 0

j ∈B. Similarly fori∈D.

Admissibility We call an assignment of values to the variables admissible if it satisfies the following criteria:

• Fori6=i0, (X_lii₋₁, X

i li)6= (X

i0 li0₋₁, X

i0 li0)

• Fori6=i0, (Y_lii₋₁, Y

i li)6= (Y

i0 li0₋₁, Yi

0

li0)

• Fori6=i0,X_lii=X

i0

li0 if and only ifY_lii =Y

i0 li0

• pi_andxi _{are online-but-last compatible for eachi}

• ci_andyi_{are online-but-last compatible for eachi}

5.5

The Proof

Interpolation Probability We shall show that

IPr[P→C]≥(1−)· 1

PN q−q

· 1

Nσ−(q−q),

Ideal Random Permutation Now,

IPr∗[P→C] = Y 16l6L

1

PNl

ql

≤ 1

PN q1

· Y

26l6L

1

(1− q2l

Nl)·Nlql

≤ 1

PN q1

· 1

Nσ−q1 ·

1

1− P

26l6L q2

l

Nl

≤ 1

PN q1

· 1

Nσ−q1 ·

1

1−(q−q1)2

N2

.

Puttingq1=q−q, we have

IPr∗[P→C]≤ 1

PN q−q

· 1

Nσ−(q−q) · 1 1−.

Applying Patarin’s Technique We conclude that

IPr[P→C]≥(1−2)·IPr∗[P→C],

from which Patarin’s Result tells us that the distinguishing advantage cannot exceed 2_Nq22.

5.6

Calculating the Interpolation Probability

Interpolation Probability in terms of Prefix Match counts We initially assume li ≥ 2,1 ≤ i ≤ q, and later incorporate the case where single block queries are allowed. We’ll show that

IPr[P→C]≥PqN2·N2q·

Q

w∈PP

PN m−_P(w)·

Q

w∈PC

PN m−_C(w)

Q

w∈PP

PN mP(w)·

Q

w∈PC

PN mC(w)

· 1

Nσ.

Counting Admissible Assignments We shall count the number of admis-sible (X,Y) pairs. We begin with the last blocks, for which we have an equal-ity restriction, and the last-but-one blocks. Let last(X) denote the column

{Xi

li}1≤i≤q, andlbo(X) denote the column{Xlii₋₁}1≤i≤q. Similarly, letlast(Y)

denote the column{Yi

The Last Blocks Fix∼. Clearly,

#S[∼] =Pkn,

since∼allows onlykdistinct values. Thus,

#{(last(X),last(Y))| last(X)∈S[∼],last(Y)∈S[∼]}= (P_kN)2.

Now, by the admissibility criteria, wheneverXi li =Xi

0

li0, i.e., whenever i ∼i

0_,

we need Xi

li₋₁ 6= Xi

0

li0₋₁, and similarly for Y. Thus, given a valid choice of (last(X),last(Y)), we have

#{valid (lbo(X),lbo(Y))}= (

k

Y

i=1

P_nN

i[∼]) 2_.

Thus, the total number of valid choices for the last two blocks of Xand Y is (PN

k ·

Qk i=1P

N ni[∼])

2_.

The Remaining Blocks The remaining blocks need to be chosen so as to maintain online compatibility with P and C. Let T[∼] denote the set

{(X,Y) admissible|last(X)∈S[∼],last(Y)∈S[∼]}. Then

#T[∼] = ( Y

w∈PP

P_mN−

P(w)

)·( Y

w∈PC

P_mN−

C(w)

)·(P_kN ·

k

Y

i=1

P_nN

i[∼]) 2_.

We note here that

X

∼∈Π (P_kN·

k

Y

i=1

Interpolation probability Next we obtain an expression for the interpola-tion probability.

IPr[P→C]

≥ X

∼∈Π

X

(X,Y)∈T[∼]

Pr[E(P) =X]·Pr[E(rev(X)) =rev(Y)]·Pr[E(Y) =C]

=X

∼∈Π

X

(X,Y)∈T[∼]

1

Q

w∈PP

PN mP(w)

·( 1

Nσ−2q ·

1 PN k · 1 k Q i=1 PN ni[∼]

)· _Q 1

w∈PC

PN mC(w)

= _Q 1

w∈PP

PN mP(w)·

Q

w∈PC

PN mC(w)

· 1

Nσ−2q ·

X

∼∈Π

X

(X,Y)∈T[∼]

1 PN k · k Q i=1 PN ni[∼]

= _Q 1

w∈PP

P_mN

P(w)·

Q

w∈PC

P_mN

C(w) · 1

Nσ−2q·

X

∼∈Π

Q

w∈PP

PN

m−_P(w)·

Q

w∈PC

PN

m−_C(w)·(P

N k ·

Qk

i=1P

N ni[∼])

2 PN k · k Q i=1 PN ni[∼]

=PqN2·N2q·

Q

w∈PP

PN m−_P(w)·

Q

w∈PC

PN m−_C(w)

Q

w∈PP

PN mP(w)·

Q

w∈PC

PN mC(w)

· 1

Nσ,

as claimed before.

Allowing Single-Block Queries The above analysis assumes all queries to have two or more blocks. Now we analyse the case when single-block queries are allowed. The counting for the last blocks remains the same, except that the single-block queries must correspond to distinct last blocks in the equivalence relation. The counting for the last-but-one blocks, however, need to be adjusted to accommodate the single-block queries. We shall show that

IPr[P→C]≥P_qN2·P_q−qN ·Nq+q·

Q

w∈PP

P_mN−

P(w) · Q

w∈PC

P_mN−

C(w)

Q

w∈PP

PN mP(w)·

Q

w∈PC

PN mC(w)

· 1

Nσ.

Fixing the Counts Suppose1⊂ {1, ..., q}is the set of all single-block query indices. We now fix a∼as before, with the additional restriction that∼puts the indices in1into distinct classes. (We call the collection of equivalence relations satisfying this new criterion Π∗.) Letπ1[∼], ..., πk[∼] denote the partitions of∼

arranged in order of decreasing size. (Thus, for 1≤i≤k,ni[∼] = #πi[∼].) We

correspond to indices of length two or more. (Note that n1[∼], ..., nk[∼] need

not be in decreasing order. But that will not bother us.)

In counting the last-but-one blocks, we’ll now simply ignore the single-block queries, and count for the rest. The modified expression is thus

#T[∼] = ( Y

w∈PP

P_mN−

P(w)

)·( Y

w∈PC

P_mN−

C(w)

)·(P_kN ·

k

Y

i=1

P_nN

i[∼]) 2_.

Letqdenoteq−#1, the number of queries with two or more blocks. Then the new expression for Pr[E(rev(X)) = rev(Y)] in our calculation of IPr[P → C] becomes

1

Nσ−(q+q) · 1 PN k · 1 k Q i=1 PN ni[∼]

.

Putting it back in the Earlier Expression We note next that

X

∼∈Π∗

(PkN· k

Y

i=1

P_nN_i[∼]) =PqN2·P N q−q,

and putting this in our earlier calculation gives

IPr[P→C]≥PqN2·Pq−qN ·Nq+q·

Q

w∈PP

PN m−_P(w)·

Q

w∈PC

PN m−_C(w)

Q

w∈PP

PN mP(w)·

Q

w∈PC

PN mC(w)

· 1

Nσ,

as claimed.

Simplifying the Inequality We shall show next that

Q

w∈PP

PN m−_P(w)·

Q

w∈PC

PN m−_C(w)

Q

w∈PP

PN mP(w)·

Q

w∈PC

PN mC(w)

≥ 1

(PN q−q)2

· 1

N4q.

We begin by analysing the prefix-match counts. Now,

PN m−_P(w)

PN mP(w)

= 1

PN−m

−

P(w)

mP(w)−m−P(w)

≥ 1

NmP(w)−m−P(w)

and similarly for

PN

m−_C(w)

PN m_C(w)

. It is easy to see that

X

w∈PP

(mP(w)−m−P(w)) = #(PP\ PP−),

X

w∈PC

(mC(w)−m−C(w)) = #(PC\ PC−).

By construction of the setsPP and PP−, each element ofP_P\ P_P− must

cor-respond to a distinctxsuch thatxis one of the last two blocks ofpi for some

i. Thus, #(PP\ PP−)≤q+q, and similarly #(P_C\ P_C−)≤q+q.

Letλbe the empty word. For eachi∈1, Xi li =X

i

1 is inPP but not in PP−.

Thus, mP(λ)−m−P(λ) ≥ q−q, and similarly mC(λ)−mC−(λ) ≥ q−q. Let

aP=mP(λ)−m−P(λ)−(q−q), andaC=mC(λ)−mC−(λ)−(q−q). So,

X

w∈PP,w6=λ

(mP(w)−m−P(w))≤2q−aP,

X

w∈PC,w6=λ

(mC(w)−m−C(w))≤2q−aC.

From this we conclude that

Q

w∈PP

PN m−_P(w)·

Q

w∈PC

PN m−_C(w)

Q

w∈PP

PN mP(w)·

Q

w∈PC

PN mC(w)

≥ 1

(PN q−q)2

· 1

N4q−aP−aC ≥

1 (PN

q−q)2

· 1

N4q,

as claimed.

The Final Expression Putting all this together, we have

IPr[P→C]≥ P

N2

q

PN q−q

· 1

N3q−q ·

1

Nσ

≥(1−)· 1

PN q−q

· 1

Nσ−(q−q),

which completes the proof.

5.7

Improved Security for Queries of Size at least

2

m

When all the queries are guaranteed to be at least 2m blocks long, for some

Claim When each query is guaranteed to have at least 2mblocks, the distin-guishing advantage of an SPRP adversary over Π3

rev(E) cannot exceed

2q2 N2m.

Proof of Claim We’ll show below that

IPr[P→C]≥ 1−

Nσ ,

where= _Nq22m.

We recall that

IPr∗[P→C] = Y 16l6L

1

PNl

ql

.

From this we get

IPr∗[P→C]≤ Y

16l6L

1

(1− ql2

Nl)·Nlql

≤ 1

Nσ ·

1

1− P

16l6L q2

l

Nl

.

Now,Nl_≥N2m_{for eachl, and}P

16l6Lq

2

l ≤q2. Thus,

IPr∗[P→C]≤ 1

Nσ ·

1 1−.

As before, we conclude that

IPr[P→C]≥(1−2)·IPr∗[P→C],

from which Patarin’s Result tells us that the distinguishing advantage cannot exceed _N2q22m.

Calculating the Interpolation Probability We’ll begin by showing that

IPr[P→C]≥P_qN2m·N2mq·

Q

w∈PP

PN m−_P(w)·

Q

w∈PC

PN m−_C(w)

Q

w∈PP

PN mP(w)·

Q

w∈PC

PN mC(w)

· 1

Nσ.

Arguing as before, #(PP\ PP−)≤2mq, and #(P_C\ P_C−)≤2mq. Thus,

Q

w∈PP

PN m−_P(w)·

Q

w∈PC

PN m−_C(w)

Q

w∈PP

PN mP(w)·

Q

w∈PC

PN mC(w)

≥ 1

Putting all this together, we have

IPr[P→C]≥P

N2m q

N2mq ·

1

Nσ ≥

1− Nσ ,

where= _Nq22m.

Counting Admissible Assignments As before, we bound the Interpolation Probability by counting the number of admissible assignments. Now, instead of counting the last two blocks separately, we count the last 2mblocks separately.

Last2mBlocks Let∼now denote an equivalence relation over the last 2m−1 blocks, i.e., on the set{1, ..., q}2m−1_{, withk, n}

1[∼], ..., nk[∼] defined as before.

Clearly, the number of valid choices for the last 2m blocks of X and Y is (PN2m−1

k ·

Qk

i=1P

N ni[∼])

2_.

The Remaining Blocks For w ∈ PP, let m−_P(w) now denote #{x|wx ∈

PP−}, where

PP− ={w∈ P_P|wdoes not intersect with last 2mblocks ofpifor anyi},

withm−_C(w) similarly defined.

Let T[∼] now denote the set {(X,Y) admissible|last 2m−1 blocks ofX ∈

S[∼], last 2m−1 blocks ofY∈S[∼]}. Then

#T[∼] = ( Y

w∈PP

P_mN−

P(w)

)·( Y

w∈PC

P_mN−

C(w)

)·(P_kN2m−1·

k

Y

i=1

P_nN

i[∼]) 2_.

Also,

X

∼∈Π

(PkN2m−1· k

Y

i=1

P_nN_i[∼]) =PqN2m.

Interpolation Probability The new expression for Pr[E(rev(X)) =rev(Y)] in our calculation of IPr[P→C] becomes

1

Nσ−2mq ·

1

PN2m−1

k

· 1

k

Q

i=1

PN ni[∼]

Substituting the expression for #T[∼] above and summing over∼, we have

IPr[P→C]≥P_qN2m·N2mq·

Q

w∈PP

PN m−_P(w)·

Q

w∈PC

PN m−_C(w)

Q

w∈PP

PN mP(w)·

Q

w∈PC

PN mC(w)

· 1

Nσ,

which completes the proof.

6

Conclusion

In conclusion, we recall that while three passes of a secure online cipher inter-leaved with a simple mixing layer ensures beyond-birthday SPRP security, two passes with a reverse in between falls short of SPRP security. This can be fixed by a slight compromise in the efficiency of the secure online cipher, by replacing it with a secure online-but-last cipher. We also note the importance of simple and transparent security proofs, and the usefulness of Patarin’s Technique in achieving this.

References

[1] Elena Andreeva, Guy Barwell, Dan Page, and Martijn Stam. Turning online ciphers off. Cryptology ePrint Archive, Report 2015/485, 2015. http:// eprint.iacr.org/.

[2] Elena Andreeva, Andrey Bogdanov, Atul Luykx, Bart Mennink, Elmar Tis-chhauser, and Kan Yasuda. Parallelizable and authenticated online ciphers. Cryptology ePrint Archive, Report 2013/790, 2013. http://eprint.iacr. org/.

[3] O. Goldreich. Foundations of Cryptography: Fragments of a Book. Weiz-mann Institute of Science, 1995.

[4] Shai Halevi and Phillip Rogaway. A tweakable enciphering mode. In Dan Boneh, editor,Advances in Cryptology - CRYPTO 2003, volume 2729 of Lec-ture Notes in Computer Science, pages 482–499. Springer Berlin Heidelberg, 2003.

[5] Jacques Patarin. The coefficients h technique. In RobertoMaria Avanzi, Liam Keliher, and Francesco Sica, editors,Selected Areas in Cryptography, volume 5381 ofLecture Notes in Computer Science, pages 328–345. Springer Berlin Heidelberg, 2009.

volume 6558 ofLecture Notes in Computer Science, pages 237–249. Springer Berlin Heidelberg, 2011.